Return-Path: Received: from ensim.rackshack.net (root@localhost) by orafaq.net (8.11.6/8.11.6) with ESMTP id h7SILfk12776 for ; Thu, 28 Aug 2003 13:21:41 -0500 X-ClientAddr: 66.27.56.212 Received: from www3.fatcity.com (rrcs-west-66-27-56-212.biz.rr.com [66.27.56.212]) by ensim.rackshack.net (8.11.6/8.11.6) with ESMTP id h7SILI312745 for ; Thu, 28 Aug 2003 13:21:20 -0500 Received: (from root@localhost) by www3.fatcity.com (8.11.6/8.11.6) id h7SFoVo27264 for oracle-l@orafaq.net; Thu, 28 Aug 2003 08:50:31 -0700 Received: by fatcity.com (05-Jun-2003/v1.0g-b73/bab) via fatcity.com id 005CDC29; Thu, 28 Aug 2003 08:49:28 -0800 Message-ID: Date: Thu, 28 Aug 2003 08:49:28 -0800 To: Multiple recipients of list ORACLE-L X-Comment: Oracle RDBMS Community Forum X-Sender: Jonathan Gennick Sender: ml-errors@fatcity.com Reply-To: ORACLE-L@fatcity.com Errors-To: ML-ERRORS@fatcity.com From: Jonathan Gennick Subject: Re: How to keep "root" out? Organization: Fat City Network Services, San Diego, California X-ListServer: v1.0g, build 73; ListGuru (c) 1996-2003 Bruce A. Bergman Precedence: bulk Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Thursday, August 28, 2003, 11:34:27 AM, Walter wrote: WK> We have a couple people in our Unix admin group that feel the need to "help" by WK> writing their own DB monitoring scripts. Of course, they don't know what they're WK> talking about. Why, the dasterdly do-gooders! How dare they! You know, one approach, and some might see this as heretical, is to simply give them a "safer" login that lets them query the V$ views. I'd probably let a sys admin look at those if he/she really wanted to, though I've been fortunate to always work with admins I trust not to go off the deep end and actually change anything without talking to me first. I've given developers access to V$ views on development and test instances. That never caused me any problems or grief. So you give your sys admins access, and you make it very clear that *you* are the DBA, and that if they find something significant, they should come to you about it; they should not make changes themselves. A good sys admin ought to understand that. After all, they are in much the same boat. They don't want you mucking about too much with the o/s. I wouldn't try to fight this battle by attempting to lock them out of your database in a technical manner, such as via a password protection. After all, they are the sys admins, and they can pretty much do anything. I'd approach this as a management issue. It is a management issue. Go to your management and point out that *you* are the DBA, that *you* have bottom-line responsibility for the databases, and make a case that your sys admins are abusing their privileges, and thereby compromising your ability to maintain a stable database environment. A good manager will understand that. But first I'd try to work with my sys admin in a more friendly manner. If he just wants to monitor, and is willing to commit to not making a *change*, then why not let him have at it? He might learn something about Oracle and become a useful ally. Or he might lose interest after awhile. Best regards, Jonathan Gennick --- Brighten the corner where you are http://Gennick.com * 906.387.1698 * mailto:jonathan@gennick.com Join the Oracle-article list and receive one article on Oracle technologies per month by email. To join, visit http://four.pairlist.net/mailman/listinfo/oracle-article, or send email to Oracle-article-request@gennick.com and include the word "subscribe" in either the subject or body. -- Please see the official ORACLE-L FAQ: http://www.orafaq.net -- Author: Jonathan Gennick INET: jonathan@gennick.com Fat City Network Services -- 858-538-5051 http://www.fatcity.com San Diego, California -- Mailing list and web hosting services --------------------------------------------------------------------- To REMOVE yourself from this mailing list, send an E-Mail message to: ListGuru@fatcity.com (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing).